Hi, I'm working on a Regex for field extractions of an alert log. The log has 1 line per alert in the following format:
[11/26/2013 9:13:41 AM] Server1 LogTest: /var/log Ok Text Log test
[11/26/2013 9:13:36 AM] Server1 LogTest: /var/log Bad <......data.......> Text Log test
The difficulty comes when handling some OK statuses; you'll notice here that a 'Bad' status returns data (the relevant log lines), but an 'Ok' status returns a blank (actually 2 tabs) data section.
It seems like every regex I come up with will accidentally capture some part of Text Log test and use that as part of the data section when data isn't present.
Can I get some pointers on the proper regex expression? My current regex is below, and I think I've exhausted the guess and check method. :-)
]\t+\s+(?P<server>.+?)\s+(?P<category>.+?)\s(?P<object>.+?)\t(?P<status>.+?)\t(?P<data>.+?)\t(?P<test>.+?)
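One way to write the extraction so that an empty data field is handled, as an added example rather than code from the post: the data group uses `*` instead of `+` so it may match nothing, and the pattern is anchored at the end of the line so the lazy groups cannot grab a prefix of the test field. It assumes the layout `[timestamp] server category object<tab>status<tab>data<tab>test`, with an "Ok" alert carrying two consecutive tabs where the data would be; the sample lines are constructed from the two quoted in the question.

```python
import re

# Assumed layout (the post does not state it outright):
#   [timestamp]<ws>server<ws>category<ws>object\tstatus\tdata\ttest
# For an "Ok" alert the data field is empty, so status and test are
# separated by two consecutive tabs.
ALERT_RE = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\]\s+"
    r"(?P<server>\S+)\s+"
    r"(?P<category>\S+)\s+"
    r"(?P<object>\S+)\t"
    r"(?P<status>[^\t]+)\t"
    r"(?P<data>.*?)\t"        # '*' rather than '+': data may be empty
    r"(?P<test>[^\t]+)$"      # end anchor stops the lazy data group from
                              # swallowing part of the test field
)


def parse_alert(line):
    """Return the named fields of one alert line, or None if it does not match."""
    m = ALERT_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


# Constructed sample lines with the tabs written out explicitly; they follow
# the two lines quoted in the post but are not copied from a real log.
SAMPLE_OK = "[11/26/2013 9:13:41 AM]\tServer1\tLogTest:\t/var/log\tOk\t\tText Log test"
SAMPLE_BAD = ("[11/26/2013 9:13:36 AM]\tServer1\tLogTest:\t/var/log\tBad\t"
              "<......data.......>\tText Log test")

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD):
        print(parse_alert(sample))
```

If the separators really are plain tabs throughout, `line.split("\t")` yields the same seven fields, empty data included, without any regex.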